Risk assessment

It's not a good practice to run unauthorized software, let alone freeware off a forum, but I had nothing to lose at this point, because I was about to re-install the operating system.

As with many things in life, you are faced with an economic choice: are the potential costs of your decision higher than the potential gain?

To answer that question, you need to take into account:

1) The risk that this freeware will cause damage
2) The amount of damage that your download causes when it blows up your system
3) The chance that this freeware will fix the problem

Information Security Professionals are often faced with this same problem.

One technique that is commonly discussed, and that should help here, is risk assessment. One risk assessment method is computing the annualized loss expectancy (ALE): take the cost of a single event and normalize it to what it would cost per year. The theory is that if the (annualized) cost of the investments is higher than the ALE, investing is not worth it.

While this is nice in theory, and also perfectly valid, the method often introduces serious problems when you actually try to use it. For example, determining the cost of a single event is something that is virtually impossible to do ahead of time.

The theory says that the single loss expectancy (SLE) is the exposure factor times the value of the asset. So, if exploitation of a vulnerability will cause the asset to lose 25% of its value, and the value of the asset is $100,000, the SLE is $25,000.

If the vulnerability is expected to manifest itself once every two years, the ALE is $12,500. As a result, investments that cost more than $12,500 per year are not worth making. This method has a number of problems.

One of them is that it is hard to assign an asset value. The value of a firewall is not just its economic value in the books. How much damage does a firewall suffer because of a DoS?

The author of the article referenced in this post took a different approach; instead of calculating the costs, he tried to reduce the risks of his actions, thereby reducing the ALE.

But a noble forum poster who had a good reputation on the forum had written a dedicated program to search out and remove all artifacts of the spyware.

This is an approach that security professionals should follow more often; instead of trying to beat the ALE, we should focus on lowering it. We can do that by designing an architecture in such a way that the (financial) effects of a compromise are minimized, and by reducing the chance that the costs manifest themselves in the first place.
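To make the arithmetic concrete, here is an added Python example (not from this post or from the article it references) that computes SLE and ALE from the post's own figures ($100,000 asset, 25% exposure factor, one event every two years), applies the "invest only if the annualized cost is below the ALE" rule, and then illustrates the two points made above: the decision flips easily when the estimated exposure factor or frequency moves, and lowering the exposure factor by design lowers the ALE directly. The containment figure (exposure factor halved to 12.5%) and the grid of alternative estimates are constructed assumptions, not numbers from the post.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    """The three inputs the ALE method needs. All of them are estimates."""
    asset_value: float      # AV: value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0..1.0
    annual_rate: float      # ARO: expected number of events per year

    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.annual_rate


def worth_investing(before: Scenario, annual_control_cost: float,
                    after: Optional[Scenario] = None) -> bool:
    """The post's decision rule: a control is worth its annualized cost only if
    that cost does not exceed the loss expectancy it removes. With no 'after'
    scenario the control is assumed to eliminate the risk entirely."""
    residual = after.ale() if after is not None else 0.0
    return annual_control_cost <= before.ale() - residual


def break_even_exposure(scenario: Scenario, annual_control_cost: float) -> float:
    """Smallest EF at which the control still pays for itself, holding AV and ARO
    fixed. EF is the estimate the post says is hardest to make, so knowing the
    break-even point tells you how wrong you can afford to be."""
    return annual_control_cost / (scenario.asset_value * scenario.annual_rate)


def sensitivity_grid(asset_value: float, annual_control_cost: float,
                     exposure_factors: List[float], annual_rates: List[float]
                     ) -> List[Tuple[float, float, float, bool]]:
    """Evaluate the decision over a grid of EF/ARO guesses (constructed inputs).
    Returns (EF, ARO, ALE, worth_it) rows, showing how often the answer flips
    when the uncertain inputs move."""
    rows = []
    for ef, aro in product(exposure_factors, annual_rates):
        s = Scenario(asset_value, ef, aro)
        rows.append((ef, aro, s.ale(), worth_investing(s, annual_control_cost)))
    return rows


if __name__ == "__main__":
    # The post's numbers: $100,000 asset, 25% exposure, one event every two years.
    baseline = Scenario(asset_value=100_000, exposure_factor=0.25, annual_rate=0.5)
    print(f"SLE = ${baseline.sle():,.0f}, ALE = ${baseline.ale():,.0f}")

    # Calculating the cost: a $10,000/year control beats the ALE, a $15,000 one does not.
    print("Invest $10k/yr:", worth_investing(baseline, 10_000))
    print("Invest $15k/yr:", worth_investing(baseline, 15_000))

    # Reducing the risk instead (constructed figure): an architecture that halves
    # the damage a compromise can do halves the ALE; a $10k control that only
    # gets you there no longer pays for itself, a $6k one does.
    contained = Scenario(asset_value=100_000, exposure_factor=0.125, annual_rate=0.5)
    print("ALE after containment:", contained.ale())
    print("Invest $10k/yr to get there:", worth_investing(baseline, 10_000, after=contained))
    print("Invest $6k/yr to get there:", worth_investing(baseline, 6_000, after=contained))

    print("Break-even EF for a $12,500 control:", break_even_exposure(baseline, 12_500))
    for ef, aro, ale, ok in sensitivity_grid(100_000, 12_500, [0.1, 0.25, 0.5], [0.5, 1.0]):
        print(f"EF={ef:.2f} ARO={aro:.1f} ALE=${ale:>9,.0f} worth_it={ok}")
```

The grid is the practical takeaway: with the post's $12,500 control, four of the six plausible EF/ARO combinations say "invest" and two say "don't", so the method's answer depends on estimates nobody can make precisely ahead of time. Lowering the exposure factor through design changes the ALE regardless of how accurate the estimate was.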

2 Comments

Its always harder to put Humpty Dumpty back together again than stopping him from falling in the first place.

Unknown, Nov 20, 2012

Keep up the wonderful work, I read a few posts on this web site and I think that your web site is really interesting and holds sets of superb information.
http://www.ciocollaborationnetwork.com/blogs/fletch911/right-planning-right-disaster?utm_source=TWA&utm_medium=SEO&utm_campaign=ecf


Copyright 1998-2015 Ziff Davis, LLC (Toolbox.com). All rights reserved. All product names are trademarks of their respective companies. Toolbox.com is not affiliated with or endorsed by any company listed at this site.